National Archives Issues New, But Limited, CUI Contract Guidance

The Information Security Oversight Office (“ISOO”) within the National Archives and Records Administration (“NARA”) recently issued guidance for all non-executive branch entities (such as elements of the legislative or judicial branches of the Federal Government; state, tribal or local government elements; and private organizations including contractors) concerning controlled unclassified information (“CUI”). Specifically, the ISOO issued CUI Notice 2018-01, which provides CUI guidance regarding information sharing agreements with non-executive branch entities (herein “IS agreements”) that are not governed by the forthcoming CUI Federal Acquisition Regulation (“FAR”) Clause. Examples of applicable IS agreements include certain contracts, grants, licenses, memoranda of understanding, and information-sharing arrangements. The ISOO guidance provides both mandatory and recommended language for inclusion in IS agreements:

Mandatory CUI Language:

Non-executive branch entities must handle CUI in accordance with Executive Order 13556, 32 CFR 2002, and the CUI Registry;

Misuse of CUI is subject to penalties established in applicable laws, regulations or Government-wide policies; and

Non-executive branch entities must report any non-compliance with handling requirements to the disseminating agency using methods approved by that agency’s CUI senior agency official (“SAO”). When the disseminating agency is not the designating agency, the disseminating agency must notify the designating agency.

Recommended CUI Language:

Identifying the categories of CUI that the non-executive branch entity will handle, as well as the corresponding handling and safeguarding requirements specified by law and policy;

Identifying where performance of work will occur (e.g., in a government facility or a non-executive branch facility);

Identifying whether the type of equipment and IT systems used to handle CUI will be federal or non-federal IT systems, as well as the applicable technical requirements;

Utilizing National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 when establishing security requirements to protect CUI on non-federal IT systems;

Whether Government-furnished equipment will be used; and

Any disposition or destruction requirements.

While we continue to await a proposed FAR Clause regarding CUI, contractors should benefit from the additional clarity that this ISOO guidance brings in standardizing CUI provisions for non-FAR based agreements.
